[stunnel-users] stunnel server configuration requirement to handle CBC protection

Tue Nov 5 11:45:21 CET 2013

Dear Janusz,
Apologies for unclear information in my previous posting.

The setup is...

Phone                     Stunnel                   Client
TCP server     <-----     TLS Server     <-----     Java based Client (HTTPS protocol)
(Simple socket)
Sets up new
TCP connection ----->     TLS Server     ----->     with tomcat server.

I have also requested more information from the developers of the Java based Client.
I had simply pasted the information from their fault report.

Apologies for any confusion.
Look forward to your response.

Thanks..
John

-----Original Message-----
From: Janusz Dziemidowicz [mailto:rraptorr at nails.eu.org] 
Sent: 05 November 2013 10:21
To: Simner, John
Cc: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] stunnel server configuration requirement to handle CBC protection

2013/11/4 Simner, John <john.simner at unify.com>
>
> Hi,
>
> Having recently used stunnel on the phone as a server to encrypt the communication between an external client and a simple TCP server socket on the phone, one of the clients have raised the following….
>
> Phone resets a TLS conection from client, when CBC protection is enabled on tomcat server.
>
> The phone syslog shows:
> Oct 28 14:26:14 10 user.crit syslog: CommsChannelExtenderRx(28881): ./src/CommsChannelExtenderRx.cpp:186 Header section invalid
>
> To prevent a SSL/TLS BEAST attack (CVE-2011-3389) Oracle Java (JSSE) has implemented a CBC protection which can be set with System Property jsse.enableCBCProtection. The default value is true.
>
> What was done:
>
> Start client and connect it with a phone.
> The TLS connection is established, but then the phone resets the connection, and client is not working.
>
> When I set jsse.enableCBCProtection to false at the tomcat server, the phone accepts the connection and client is working.
>
> To prevent man-in-the-middle attacks, the phone should be able to handle the fragmented TLS block when CBC protection is activated on the client tomcat server.
>
>
>
>
>
> I have been unable to find the appropriate stunnel configuration item to support this.
>
> Please could you inform me how this is handled through stunnel.
>
>
>
> Thank you for your assistance and I look forward to your responses.

It is really unclear from your e-mail what is connecting to what.
First you state that you use stunnel as a server on a phone and
something connects to it. Then you describe a Tomcat server and
something that looks like a bug report that a phone is unable to
connect to this Tomcat server. It is really unclear what is your
configuration and what is trying to connect to stunnel and where does
a Tomcat server sit in this setup.
Please provide accurate and detailed description of your setup, maybe
then someone will be able to help.

-- 
Janusz Dziemidowicz